Cryptanalysis

Cryptanalysis (from the Greek kryptós, "hidden", and analýein, "to loosen" or "to untie") is the study of analyzing information systems in order to discover the hidden aspects of the systems.[1] Cryptanalysis is used to breach cryptographic security systems and gain access to the contents of encrypted messages, even if the cryptographic key is unknown.

In addition to mathematical analysis of cryptographic algorithms, cryptanalysis includes the study of side-channel attacks that do not target weaknesses in the cryptographic algorithms themselves, but instead exploit weaknesses in their implementation.

Even though the goal has been the same, the methods and techniques of cryptanalysis have changed drastically through the history of cryptography, adapting to increasing cryptographic complexity, ranging from the pen-and-paper methods of the past, through machines like the British Bombes and Colossus computers at Bletchley Park in World War II, to the mathematically advanced computerized schemes of the present. Methods for breaking modern cryptosystems often involve solving carefully constructed problems in pure mathematics, the best-known being integer factorization.

Given some encrypted data ("ciphertext"), the goal of the cryptanalyst is to gain as much information as possible about the original, unencrypted data ("plaintext"). It is useful to consider two aspects of achieving this. The first is breaking the system — that is, discovering how the encipherment process works. The second is solving the key that is unique for a particular encrypted message or group of messages.

Attacks can be classified based on what type of information the attacker has available. As a basic starting point it is normally assumed that, for the purposes of analysis, the general algorithm is known; this is Shannon's Maxim "the enemy knows the system"[2] — in its turn, equivalent to Kerckhoffs' principle.[3] This is a reasonable assumption in practice — throughout history, there are countless examples of secret algorithms falling into wider knowledge, variously through espionage, betrayal and reverse engineering. (And on occasion, ciphers have been broken through pure deduction; for example, the German Lorenz cipher and the Japanese Purple code, and a variety of classical schemes.)[4]

Related-key attack: Like a chosen-plaintext attack, except the attacker can obtain ciphertexts encrypted under two different keys. The keys are unknown, but the relationship between them is known; for example, two keys that differ in one bit.

Attacks can also be characterised by the resources they require. Those resources include:[5]

Time — the number of computation steps (e.g., test encryptions) which must be performed.

Memory — the amount of storage required to perform the attack.

Data — the quantity and type of plaintexts and ciphertexts required for a particular approach.

It is sometimes difficult to predict these quantities precisely, especially when the attack is not practical to actually implement for testing. But academic cryptanalysts tend to provide at least the estimated order of magnitude of their attacks' difficulty, saying, for example, "SHA-1 collisions now 2^52."[6]

Bruce Schneier notes that even computationally impractical attacks can be considered breaks: "Breaking a cipher simply means finding a weakness in the cipher that can be exploited with a complexity less than brute force. Never mind that brute-force might require 2^128 encryptions; an attack requiring 2^110 encryptions would be considered a break... simply put, a break can just be a certificational weakness: evidence that the cipher does not perform as advertised."[7]

The results of cryptanalysis can also vary in usefulness. For example, cryptographer Lars Knudsen (1998) classified various types of attack on block ciphers according to the amount and quality of secret information that was discovered:

Distinguishing algorithm — the attacker can distinguish the cipher from a random permutation.

Academic attacks are often against weakened versions of a cryptosystem, such as a block cipher or hash function with some rounds removed. Many, but not all, attacks become exponentially more difficult to execute as rounds are added to a cryptosystem,[8] so it is possible for the full cryptosystem to be strong even though reduced-round variants are weak. Nonetheless, partial breaks that come close to breaking the original cryptosystem may mean that a full break will follow; the successful attacks on DES, MD5, and SHA-1 were all preceded by attacks on weakened versions.

In academic cryptography, a weakness or a break in a scheme is usually defined quite conservatively: it might require impractical amounts of time, memory, or known plaintexts. It also might require the attacker be able to do things many real-world attackers can't: for example, the attacker may need to choose particular plaintexts to be encrypted or even to ask for plaintexts to be encrypted using several keys related to the secret key. Furthermore, it might only reveal a small amount of information, enough to prove the cryptosystem imperfect but too little to be useful to real-world attackers. Finally, an attack might only apply to a weakened version of cryptographic tools, like a reduced-round block cipher, as a step towards breaking the full system.[7]

Cryptanalysis has coevolved together with cryptography, and the contest can be traced through the history of cryptography—new ciphers being designed to replace old broken designs, and new cryptanalytic techniques invented to crack the improved schemes. In practice, they are viewed as two sides of the same coin: secure cryptography requires design against possible cryptanalysis.

Successful cryptanalysis has undoubtedly influenced history; the ability to read the presumed-secret thoughts and plans of others can be a decisive advantage. For example, in England in 1587, Mary, Queen of Scots was tried and executed for treason as a result of her involvement in three plots to assassinate Elizabeth I of England. The plans came to light after her coded correspondence with fellow conspirators was deciphered by Thomas Phelippes.

In World War I, the breaking of the Zimmermann Telegram was instrumental in bringing the United States into the war. In World War II, the Allies benefitted enormously from their joint success in the cryptanalysis of the German ciphers — including the Enigma machine and the Lorenz cipher — and Japanese ciphers, particularly 'Purple' and JN-25. 'Ultra' intelligence has been credited with everything from shortening the European war by up to two years to determining its eventual result. The war in the Pacific was similarly helped by 'Magic' intelligence.[9]

Governments have long recognized the potential benefits of cryptanalysis for intelligence, both military and diplomatic, and established dedicated organizations devoted to breaking the codes and ciphers of other nations, for example, GCHQ and the NSA, organizations which are still very active today. In 2004, it was reported that the United States had broken Iranian ciphers. (It is unknown, however, whether this was pure cryptanalysis, or whether other factors were involved.)[10]

Frequency analysis is the basic tool for breaking most classical ciphers. In natural languages, certain letters of the alphabet appear more often than others; in English, "E" is likely to be the most common letter in any sample of plaintext. Similarly, the digraph "TH" is the most likely pair of letters in English, and so on. Frequency analysis relies on a cipher failing to hide these statistics. For example, in a simple substitution cipher (where each letter is simply replaced with another), the most frequent letter in the ciphertext would be a likely candidate for "E". Frequency analysis of such a cipher is therefore relatively easy, provided that the ciphertext is long enough to give a reasonably representative count of the letters of the alphabet that it contains.[14]
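The frequency-analysis idea above, worked through in code (an added example, not part of the original article): letter counts expose the likely "E", and a chi-squared fit against textbook English letter frequencies picks out the right Caesar shift, the one-parameter special case of a simple substitution cipher. The sample sentence, the shift of 7 and the frequency table are constructed for the example.

```python
from collections import Counter
import string

# Approximate frequency (percent) of each letter in English prose: the statistic
# that a simple substitution cipher leaves intact.  Values are textbook figures.
ENGLISH_FREQ = {
    "A": 8.2, "B": 1.5, "C": 2.8, "D": 4.3, "E": 12.7, "F": 2.2, "G": 2.0,
    "H": 6.1, "I": 7.0, "J": 0.15, "K": 0.77, "L": 4.0, "M": 2.4, "N": 6.7,
    "O": 7.5, "P": 1.9, "Q": 0.095, "R": 6.0, "S": 6.3, "T": 9.1, "U": 2.8,
    "V": 0.98, "W": 2.4, "X": 0.15, "Y": 2.0, "Z": 0.074,
}

def letter_counts(text):
    """Count A-Z occurrences, ignoring case and everything that is not a letter."""
    return Counter(c for c in text.upper() if c in string.ascii_uppercase)

def most_frequent_letter(text):
    """The ciphertext letter that most likely stands for plaintext 'E'."""
    return letter_counts(text).most_common(1)[0][0]

def chi_squared(text):
    """Distance between the text's letter distribution and English; lower is closer."""
    counts = letter_counts(text)
    n = sum(counts.values())
    total = 0.0
    for c in string.ascii_uppercase:
        expected = n * ENGLISH_FREQ[c] / 100
        total += (counts[c] - expected) ** 2 / expected
    return total

def shift(text, k):
    """Caesar shift by k: the one-parameter special case of simple substitution."""
    out = []
    for c in text:
        if c.isalpha():
            base = ord("A") if c.isupper() else ord("a")
            out.append(chr((ord(c) - base + k) % 26 + base))
        else:
            out.append(c)
    return "".join(out)

def recover_caesar_shift(ciphertext):
    """Try every shift and keep the one whose candidate plaintext looks most English."""
    return min(range(26), key=lambda k: chi_squared(shift(ciphertext, -k)))

# Constructed sample: an English sentence enciphered with a shift of 7.
PLAINTEXT = ("in natural languages certain letters of the alphabet appear more often "
             "than others in english e is likely to be the most common letter in "
             "any sample of plaintext")
CIPHERTEXT = shift(PLAINTEXT, 7)
```

With this sample the most frequent ciphertext letter is "L" (that is, "E" shifted by 7), and the chi-squared search returns the shift 7.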

Cryptanalysis of enemy messages played a significant part in the Allied victory in World War II. F. W. Winterbotham quoted the Western Supreme Allied Commander, Dwight D. Eisenhower, at the war's end as describing Ultra intelligence as having been "decisive" to Allied victory.[18] Sir Harry Hinsley, official historian of British Intelligence in World War II, made a similar assessment about Ultra, saying that it shortened the war "by not less than two years and probably by four years"; moreover, he said that in the absence of Ultra, it is uncertain how the war would have ended.[19]

In practice, frequency analysis relies as much on linguistic knowledge as it does on statistics, but as ciphers became more complex, mathematics became more important in cryptanalysis. This change was particularly evident before and during World War II, where efforts to crack Axis ciphers required new levels of mathematical sophistication. Moreover, automation was first applied to cryptanalysis in that era with the Polish Bomba device, the British Bombe, the use of punched card equipment, and in the Colossus computers — the first electronic digital computers to be controlled by a program.[20][21]

With reciprocal machine ciphers such as the Lorenz cipher and the Enigma machine used by Nazi Germany during World War II, each message had its own key. Usually, the transmitting operator informed the receiving operator of this message key by transmitting some plaintext and/or ciphertext before the enciphered message. This is termed the indicator, as it indicates to the receiving operator how to set his machine to decipher the message.[22]

Poorly designed and implemented indicator systems allowed first Polish cryptographers[23] and then the British cryptographers at Bletchley Park[24] to break the Enigma cipher system. Similar poor indicator systems allowed the British to identify depths that led to the diagnosis of the Lorenz SZ40/42 cipher system, and the comprehensive breaking of its messages without the cryptanalysts seeing the cipher machine.[25]

Sending two or more messages with the same key is an insecure process. To a cryptanalyst the messages are then said to be "in depth."[26] This may be detected by the messages having the same indicator by which the sending operator informs the receiving operator about the key generator initial settings for the message.[27]

Generally, the cryptanalyst may benefit from lining up identical enciphering operations among a set of messages. For example, the Vernam cipher enciphers by bit-for-bit combining plaintext with a long key using the "exclusive or" operator, which is also known as "modulo-2 addition" (symbolized by ⊕):

Plaintext ⊕ Key = Ciphertext

Deciphering combines the same key bits with the ciphertext to reconstruct the plaintext:

Ciphertext ⊕ Key = Plaintext

(In modulo-2 arithmetic, addition is the same as subtraction.) When two such ciphertexts are aligned in depth, combining them eliminates the common key, leaving just a combination of the two plaintexts:

Ciphertext1 ⊕ Ciphertext2 = Plaintext1 ⊕ Plaintext2

The individual plaintexts can then be worked out linguistically by trying probable words (or phrases), also known as "cribs," at various locations; a correct guess, when combined with the merged plaintext stream, produces intelligible text from the other plaintext component:

(Plaintext1 ⊕ Plaintext2) ⊕ Plaintext1 = Plaintext2

The recovered fragment of the second plaintext can often be extended in one or both directions, and the extra characters can be combined with the merged plaintext stream to extend the first plaintext. Working back and forth between the two plaintexts, using the intelligibility criterion to check guesses, the analyst may recover much or all of the original plaintexts. (With only two plaintexts in depth, the analyst may not know which one corresponds to which ciphertext, but in practice this is not a large problem.) When a recovered plaintext is then combined with its ciphertext, the key is revealed:

Plaintext1 ⊕ Ciphertext1 = Key

Knowledge of a key of course allows the analyst to read other messages encrypted with the same key, and knowledge of a set of related keys may allow cryptanalysts to diagnose the system used for constructing them.[25]
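The depth attack on the Vernam cipher, carried through the four equations above in code (an added example, not from the original article): the key cancels when the two ciphertexts are combined, a crib dragged along the merged stream exposes a fragment of the other message, extending the guess recovers more, and the recovered plaintext finally gives back the key. The two messages and the crib are constructed; the key is random, which is the point: key reuse, not key quality, is the flaw.

```python
import os

def xor_bytes(a, b):
    """Modulo-2 addition of two equal-length byte strings (the Vernam operation)."""
    if len(a) != len(b):
        raise ValueError("operands must have equal length")
    return bytes(x ^ y for x, y in zip(a, b))

def vernam(data, key):
    """Plaintext XOR Key = Ciphertext; the same call deciphers, XOR being its own inverse."""
    return xor_bytes(data, key[:len(data)])

def merged_plaintexts(c1, c2):
    """Ciphertext1 XOR Ciphertext2 = Plaintext1 XOR Plaintext2: the common key cancels."""
    return xor_bytes(c1, c2)

def drag_crib(merged, crib, alphabet=b"ABCDEFGHIJKLMNOPQRSTUVWXYZ "):
    """Slide a probable word along the merged stream.  Where the crib sits at its
    true position in one message, XORing it in exposes the other message's text,
    so keep only offsets whose output stays inside the expected alphabet."""
    hits = []
    for i in range(len(merged) - len(crib) + 1):
        fragment = xor_bytes(merged[i:i + len(crib)], crib)
        if all(b in alphabet for b in fragment):
            hits.append((i, fragment.decode("ascii")))
    return hits

def recover_key(plaintext, ciphertext):
    """Plaintext1 XOR Ciphertext1 = Key (for the positions covered)."""
    return xor_bytes(plaintext, ciphertext)

# Constructed sample: two equal-length messages sent under the SAME one-time key.
P1 = b"ATTACK AT DAWN FROM THE NORTH RIDGE"
P2 = b"HOLD POSITIONS UNTIL FURTHER ORDERS"
KEY = os.urandom(len(P1))
C1, C2 = vernam(P1, KEY), vernam(P2, KEY)

def break_depth():
    """Work the depth: merge, drag a crib, extend the guess, then recover the key."""
    merged = merged_plaintexts(C1, C2)
    hits = drag_crib(merged, b"ATTACK")                 # the true hit is (0, "HOLD P")
    # "HOLD P" reads as the start of "HOLD POSITIONS"; XOR the longer guess back in
    # to extend the first plaintext, exactly as (P1 XOR P2) XOR P2 = P1.
    other_prefix = xor_bytes(merged[:14], b"HOLD POSITIONS")   # -> b"ATTACK AT DAWN"
    key_prefix = recover_key(other_prefix, C1[:14])             # -> KEY[:14]
    return hits, other_prefix, key_prefix
```

Nothing in `break_depth` ever touches `KEY`; every recovered byte of it comes from the two ciphertexts and guessed words alone.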

Figure: The Bombe replicated the action of several Enigma machines wired together. Each of the rapidly rotating drums, shown in a Bletchley Park museum mockup, simulated the action of an Enigma rotor.

Even though computation was used to great effect in the cryptanalysis of the Lorenz cipher and other systems during World War II, it also made possible new methods of cryptography orders of magnitude more complex than ever before. Taken as a whole, modern cryptography has become much more impervious to cryptanalysis than the pen-and-paper systems of the past, and now seems to have the upper hand against pure cryptanalysis. The historian David Kahn notes:

Many are the cryptosystems offered by the hundreds of commercial vendors today that cannot be broken by any known methods of cryptanalysis. Indeed, in such systems even a chosen plaintext attack, in which a selected plaintext is matched against its ciphertext, cannot yield the key that unlock[s] other messages. In a sense, then, cryptanalysis is dead. But that is not the end of the story. Cryptanalysis may be dead, but there is - to mix my metaphors - more than one way to skin a cat.

Kahn goes on to mention increased opportunities for interception, bugging, side channel attacks, and quantum computers as replacements for the traditional means of cryptanalysis. In 2010, former NSA technical director Brian Snow said that both academic and government cryptographers are "moving very slowly forward in a mature field."[29]

However, any postmortems for cryptanalysis may be premature. While the effectiveness of cryptanalytic methods employed by intelligence agencies remains unknown, many serious attacks against both academic and practical cryptographic primitives have been published in the modern era of computer cryptography:

In 2008, researchers conducted a proof-of-concept break of SSL using weaknesses in the MD5 hash function and certificate issuer practices that made it possible to exploit collision attacks on hash functions. The certificate issuers involved changed their practices to prevent the attack from being repeated.

Asymmetric cryptography (or public key cryptography) is cryptography that relies on using two (mathematically related) keys; one private, and one public. Such ciphers invariably rely on "hard" mathematical problems as the basis of their security, so an obvious point of attack is to develop methods for solving the problem. The security of two-key cryptography depends on mathematical questions in a way that single-key cryptography generally does not, and conversely links cryptanalysis to wider mathematical research in a new way.

Asymmetric schemes are designed around the (conjectured) difficulty of solving various mathematical problems. If an improved algorithm can be found to solve the problem, then the system is weakened. For example, the security of the Diffie–Hellman key exchange scheme depends on the difficulty of calculating the discrete logarithm. In 1983, Don Coppersmith found a faster way to find discrete logarithms (in certain groups), thereby requiring cryptographers to use larger groups (or different types of groups). RSA's security depends (in part) upon the difficulty of integer factorization — a breakthrough in factoring would impact the security of RSA.

In 1980, one could factor a difficult 50-digit number at an expense of 10^12 elementary computer operations. By 1984 the state of the art in factoring algorithms had advanced to a point where a 75-digit number could be factored in 10^12 operations. Advances in computing technology also meant that the operations could be performed much faster, too. Moore's law predicts that computer speeds will continue to increase. Factoring techniques may continue to do so as well, but will most likely depend on mathematical insight and creativity, neither of which has ever been successfully predictable. 150-digit numbers of the kind once used in RSA have been factored. The effort was greater than above, but was not unreasonable on fast modern computers. By the start of the 21st century, 150-digit numbers were no longer considered a large enough key size for RSA. Numbers with several hundred digits were still considered too hard to factor in 2005, though methods will probably continue to improve over time, requiring key size to keep pace or other methods such as elliptic curve cryptography to be used.

Another distinguishing feature of asymmetric schemes is that, unlike attacks on symmetric cryptosystems, any cryptanalysis has the opportunity to make use of knowledge gained from the public key.[30]

Quantum computers, which are still in the early phases of research, have potential use in cryptanalysis. For example, Shor's algorithm could factor large numbers in polynomial time, in effect breaking some commonly used forms of public-key encryption.[31]

By using Grover's algorithm on a quantum computer, brute-force key search can be made quadratically faster. However, this could be countered by doubling the key length.[32]